diff --git a/testbed/sqlServer/conf/application.yml b/testbed/sqlServer/conf/application.yml
new file mode 100644
index 000000000..1e48abf4d
--- /dev/null
+++ b/testbed/sqlServer/conf/application.yml
@@ -0,0 +1,138 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: sqlserver
+ driver-class-name: com.microsoft.sqlserver.jdbc.SQLServerDriver
+ url: jdbc:sqlserver://db:1433
+ username: sa
+ password: Password1
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.SQLServerDialect
+#server:
+# port: 8443
+# ssl:
+# key-store: "/conf/keystore.p12"
+# key-store-password: "changeit"
+# keyStoreType: "PKCS12"
+# keyAlias: "tomcat"
+shibui:
+ user-bootstrap-resource: file:/conf/users.csv
+ roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY
+custom:
+ attributes:
+ # Default attributes
+ - name: eduPersonPrincipalName
+ displayName: label.attribute-eduPersonPrincipalName
+ - name: uid
+ displayName: label.attribute-uid
+ - name: mail
+ displayName: label.attribute-mail
+ - name: surname
+ displayName: label.attribute-surname
+ - name: givenName
+ displayName: label.attribute-givenName
+ - name: eduPersonAffiliation
+ displayName: label.attribute-eduPersonAffiliation
+ - name: eduPersonScopedAffiliation
+ displayName: label.attribute-eduPersonScopedAffiliation
+ - name: eduPersonPrimaryAffiliation
+ displayName: label.attribute-eduPersonPrimaryAffiliation
+ - name: eduPersonEntitlement
+ displayName: label.attribute-eduPersonEntitlement
+ - name: eduPersonAssurance
+ displayName: label.attribute-eduPersonAssurance
+ - name: eduPersonUniqueId
+ displayName: label.attribute-eduPersonUniqueId
+ - name: employeeNumber
+ displayName: label.attribute-employeeNumber
+ # Custom attributes
+ overrides:
+ # Default overrides
+ - name: signAssertion
+ displayName: label.sign-the-assertion
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.sign-assertion
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions
+ attributeFriendlyName: signAssertions
+ - name: dontSignResponse
+ displayName: label.dont-sign-the-response
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.dont-sign-response
+ attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses
+ attributeFriendlyName: signResponses
+ - name: turnOffEncryption
+ displayName: label.turn-off-encryption-of-response
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.turn-off-encryption
+ attributeName: http://shibboleth.net/ns/profiles/encryptAssertions
+ attributeFriendlyName: encryptAssertions
+ - name: useSha
+ displayName: label.use-sha1-signing-algorithm
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.usa-sha-algorithm
+ persistType: string
+ persistValue: shibboleth.SecurityConfiguration.SHA1
+ attributeName: http://shibboleth.net/ns/profiles/securityConfiguration
+ attributeFriendlyName: securityConfiguration
+ - name: ignoreAuthenticationMethod
+ displayName: label.ignore-any-sp-requested-authentication-method
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.ignore-auth-method
+ persistType: string
+ persistValue: 0x1
+ attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures
+ attributeFriendlyName: disallowedFeatures
+ - name: omitNotBefore
+ displayName: label.omit-not-before-condition
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.omit-not-before-condition
+ attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore
+ attributeFriendlyName: includeConditionsNotBefore
+ - name: responderId
+ displayName: label.responder-id
+ displayType: string
+ defaultValue: null
+ helpText: tooltip.responder-id
+ attributeName: http://shibboleth.net/ns/profiles/responderId
+ attributeFriendlyName: responderId
+ - name: nameIdFormats
+ displayName: label.nameid-format-to-send
+ displayType: set
+ helpText: tooltip.nameid-format
+ defaultValues:
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+ attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence
+ attributeFriendlyName: nameIDFormatPrecedence
+ - name: authenticationMethods
+ displayName: label.authentication-methods-to-use
+ displayType: set
+ helpText: tooltip.authentication-methods-to-use
+ defaultValues:
+ - https://refeds.org/profile/mfa
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
+ - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+ attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods
+ attributeFriendlyName: defaultAuthenticationMethods
+ - name: forceAuthn
+ displayName: label.force-authn
+ displayType: boolean
+ defaultValue: false
+ helpText: tooltip.force-authn
+ attributeName: http://shibboleth.net/ns/profiles/forceAuthn
+ attributeFriendlyName: forceAuthn
+logging:
+ level:
+ org.pac4j: "TRACE"
+ org.opensaml: "INFO"
\ No newline at end of file
diff --git a/testbed/sqlServer/conf/keystore.p12 b/testbed/sqlServer/conf/keystore.p12
new file mode 100644
index 000000000..57f9c162a
Binary files /dev/null and b/testbed/sqlServer/conf/keystore.p12 differ
diff --git a/testbed/sqlServer/conf/users.csv b/testbed/sqlServer/conf/users.csv
new file mode 100644
index 000000000..0ff75785d
--- /dev/null
+++ b/testbed/sqlServer/conf/users.csv
@@ -0,0 +1,2 @@
+root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org
+admin,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,jj@example.org
\ No newline at end of file
diff --git a/testbed/sqlServer/docker-compose.yml b/testbed/sqlServer/docker-compose.yml
new file mode 100644
index 000000000..a7509fe37
--- /dev/null
+++ b/testbed/sqlServer/docker-compose.yml
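Review bot: The datasource block hands the application the `sa` superuser with `Password1`, while setup.sql in the same commit creates a dedicated `shibui` login that nothing then uses, and the JDBC url names no database, so the app will presumably land in sa's default database (master) rather than `shibui`. Switch the three datasource lines to `url: jdbc:sqlserver://db:1433;databaseName=shibui`, `username: shibui` and `password: shibuiPass1` so the testbed actually exercises the least-privilege login it sets up, and put `# Testbed-only credentials; never reuse outside this docker-compose` above them so the literal is not copied elsewhere. Under ignoreAuthenticationMethod, `persistValue: 0x1` is an unquoted hex literal that a YAML parser turns into integer 1 despite `persistType: string` — write `persistValue: "0x1"`. `org.pac4j: "TRACE"` will log the full SAML exchange, which is acceptable in a testbed but must not be carried into any shared profile.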
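Review bot: Both bootstrap rows carry the same `{bcrypt}` hash, so `root` and `admin` are two ROLE_ADMIN accounts sharing one password, and the file is bind-mounted into the container via `./conf:/conf` for anyone who clones the repository. Keep a single bootstrap admin, or at minimum note beside `user-bootstrap-resource` in application.yml that these are testbed-only accounts whose password must be rotated before any shared deployment — users.csv has no comment syntax to carry that warning itself.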
@@ -0,0 +1,29 @@
+version: "3.7"
+
+services:
+ db:
+ container_name: db
+ ports:
+ - 1433:1433
+ build:
+ context: .
+ dockerfile: docker/Dockerfile
+ networks:
+ - front
+ shibui:
+ image: unicon/shibui
+ ports:
+ - 8080:8080
+ - 5005:5005
+ - 8443:8443
+ volumes:
+ - ./conf:/conf
+ - ./conf/application.yml:/application.yml
+ depends_on:
+ - db
+ networks:
+ - front
+
+networks:
+ front:
+ driver: bridge
\ No newline at end of file
diff --git a/testbed/sqlServer/docker/Dockerfile b/testbed/sqlServer/docker/Dockerfile
new file mode 100644
index 000000000..4d8379c31
--- /dev/null
+++ b/testbed/sqlServer/docker/Dockerfile
@@ -0,0 +1,9 @@
+FROM mcr.microsoft.com/mssql/server:2019-latest
+
+ENV ACCEPT_EULA=Y
+ENV SA_PASSWORD=Password1
+
+COPY ./docker/scripts /
+
+ENTRYPOINT [ "/bin/bash", "entrypoint.sh" ]
+CMD [ "/opt/mssql/bin/sqlservr" ]
\ No newline at end of file
diff --git a/testbed/sqlServer/docker/scripts/entrypoint.sh b/testbed/sqlServer/docker/scripts/entrypoint.sh
new file mode 100755
index 000000000..8b861beef
--- /dev/null
+++ b/testbed/sqlServer/docker/scripts/entrypoint.sh
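Review bot: The `ports:` entries publish SQL Server (1433) and what looks like a Java remote-debug port (5005) on every host interface, so `sa`/`Password1` and a debugger listener become reachable from the local network whenever the testbed is up. The `db` service needs no published port at all, since `shibui` reaches it over the `front` network; if host access for a client tool is wanted, bind to loopback and quote the mapping per compose convention: `- "127.0.0.1:1433:1433"` and `- "127.0.0.1:5005:5005"`. A `# testbed only: nothing here should be reachable beyond this host` comment above `services:` would make that intent explicit to the next person who edits the file.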
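Review bot: `ENV SA_PASSWORD=Password1` bakes the SQL Server password into the image metadata, where `docker history`/`docker inspect` and any registry push expose it, and it duplicates the literal that entrypoint.sh and application.yml each carry separately. Move the value out of the image into the compose service's `environment:` (or an env file) so one setting feeds the server, sqlcmd and the application; newer mssql images document `MSSQL_SA_PASSWORD` as the preferred variable name, so confirm which the `2019-latest` image honours before relying on either. `FROM mcr.microsoft.com/mssql/server:2019-latest` is a floating tag — pin it with an `@sha256:` digest if the testbed is meant to be reproducible.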
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+if [ "$1" = '/opt/mssql/bin/sqlservr' ]; then
+ # If this is the container's first run, initialize the application database
+ if [ ! -f /tmp/app-initialized ]; then
+ # Initialize the application database asynchronously in a background process. This allows a) the SQL Server process to be the main process in the container, which allows graceful shutdown and other goodies, and b) us to only start the SQL Server process once, as opposed to starting, stopping, then starting it again.
+ function initialize_app_database() {
+ # Wait a bit for SQL Server to start. SQL Server's process doesn't provide a clever way to check if it's up or not, and it needs to be up before we can import the application database
+ sleep 15s
+
+ #run the setup script to create the DB and the schema in the DB
+ /opt/mssql-tools/bin/sqlcmd -S db -U sa -P Password1 -d master -i setup.sql
+
+ # Note that the container has been initialized so future starts won't wipe changes to the data
+ touch /tmp/app-initialized
+ }
+ initialize_app_database &
+ fi
+fi
+
+exec "$@"
\ No newline at end of file
diff --git a/testbed/sqlServer/docker/scripts/setup.sql b/testbed/sqlServer/docker/scripts/setup.sql
new file mode 100644
index 000000000..9c49fede4
--- /dev/null
+++ b/testbed/sqlServer/docker/scripts/setup.sql
@@ -0,0 +1,10 @@
+CREATE DATABASE shibui;
+GO
+USE shibui;
+GO
+CREATE LOGIN shibui WITH PASSWORD = 'shibuiPass1';
+GO
+CREATE USER shibui FOR LOGIN shibui;
+GO
+EXEC sp_addrolemember 'db_owner', 'shibui';
+GO
\ No newline at end of file
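Review bot: `sleep 15s` is a fixed guess at server startup, so on a slow host setup.sql runs before SQL Server accepts logins, sqlcmd fails in a background job whose exit status nobody checks, and the database silently never exists. The sqlcmd call also repeats `Password1` instead of reading the `SA_PASSWORD` the Dockerfile already sets, and passing `-P` on the command line puts the password in the container's process list — sqlcmd reads `SQLCMDPASSWORD` from the environment instead. It further targets `-S db`, the compose service name, rather than the local instance, which ties the script to that network name for no benefit. Poll for readiness, reuse the environment, and surface failure as below; the enclosing `if` blocks and the final `exec "$@"` are unchanged.
```shell
 function initialize_app_database() {
 # Poll until SQL Server accepts logins instead of guessing with a fixed sleep.
 # The password comes from the environment so it is neither repeated here nor visible in ps.
 export SQLCMDPASSWORD="$SA_PASSWORD"
 for _ in $(seq 1 60); do
 if /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -Q "SELECT 1" >/dev/null 2>&1; then
 break
 fi
 sleep 1
 done

 # Run the setup script; -b makes sqlcmd exit non-zero on a SQL error so the marker is not written.
 if ! /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -d master -b -i /setup.sql; then
 echo "initialize_app_database: setup.sql failed" >&2
 return 1
 fi

 # … unchanged: marker comment …
 touch /tmp/app-initialized
 }
```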
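Review bot: `EXEC sp_addrolemember 'db_owner', 'shibui'` gives the application login full control of the database, which is more than a data-access account needs; unless Hibernate is configured to manage the schema here (not visible in this diff), `db_datareader` plus `db_datawriter` would suffice, and where DDL is genuinely required `db_ddladmin` is still narrower than `db_owner`. `sp_addrolemember` is also deprecated in current SQL Server releases; the supported form is `ALTER ROLE db_owner ADD MEMBER shibui;`. `'shibuiPass1'` is a second hard-coded secret in this commit and nothing in application.yml references the login, so either the application should connect as `shibui` or the script should not create it.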